- Download modules from GitHub links below*
- Save to a server with Active Directory Powershell Tools
- Customise Global_Variables.ps1 as required (variables apply to all modules)
- Customise Module_Variables.ps1 as required (variables apply to this module)
- Review the plugins (reorder, remove, update thresholds etc)
- Run the report Get-SAMReport Certificates [Email/OnScreen]
*I encourage you to review and understand any script downloaded from the internet. Also ensure to "unblock" each .ps1 files (Right click | Properties | Unblock), to avoid the [D] Do not run [R] Run once [S] Suspend security prompts.
Overview
The result is a rich report with clear status indicators giving you an instant overview and the details to back it up.
Picture 1. Sample Report showing plugins for the stores in a typical certificate chain
Plugins
The independent plugin system is very flexible and provides an easy way to only report on information that you need. The template style provides a consistent output, but also makes it easy to adapt or add new plugins. The warnings or alerts are based on a failed test or data falling outside of thresholds that you can define.
Each plugin can generate four types of output:
- Results Text (html formatted)
- Results Data (html formatted table)
- Results Status (Alert, Warning, Good colour codes)
- A File (either saved to the \output folder or included as an email attachment)
About the Certificates Module
UPDATE: The report now includes a check for a key length that is less than 2048 bits.
The report will list details for all certificates in the relevant stores, for all of your servers. There is even an option to log and remove any expired certificates.
This is a list of the current plugins for the Certificates module, which cover the certificate stores for a typical certificate chain:
- 00 Module Variables.ps1 (loads AD snap-in, sets server scope, log file location etc)
- 01 List Personal Certificates.ps1
- 02 List Intermediate Certificates.ps1
- 03 List 3rd Party Root Certificates.ps1
- 04 List Trusted Root Certificates.ps1
#Reporting variables
$MaxDays = 1095
$WarnDays = 90
$AlertDays = 30
$WarnKeySize = 2048
#Certificate Store Properties
$StoreLocation = "LocalMachine" #"LocalMachine","CurrentUser"
$StoreName = "My" #"My","CA","AuthRoot","Root"
$OpenFlag = "ReadWrite" #"ReadOnly","ReadWrite"
#Purge Variable
$PurgeExpired = $False #$True or $False
$PurgeDays = -90
This is the core of each script, to show how it collects info from each store and builds it into the main report.
#Create an Array and run query
$ResultsData = @()
foreach ($Server in $Servers) {
if (Test-Connection -computername $Server -count 1 -quiet){
$stores = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\$Server\$StoreName",$StoreLocation)
$stores.Open($OpenFlag)
$Certificates = $stores.Certificates | Select FriendlyName, serialNumber, Issuer, Subject, PublicKey, @{Label="Expires";Expression={($_.NotAfter)}}, @{Label="Days";Expression={($_.NotAfter - (Get-Date)).Days}}
Add-content -path $Logfile -value "Server: $Server"
Add-content -path $Logfile -value "Store: $StoreLocation\$StoreName"
Add-content -path $Logfile -value " "
foreach ($Certificate in $Certificates) {
#Build Report
if ($Certificate.Issuer -ne $null -and $Certificate.days -lt $MaxDays){
$obj = New-Object PSobject
$obj | Add-Member -MemberType NoteProperty -name "Server" -value $Server
$obj | Add-Member -MemberType NoteProperty -name "Name" -value $Certificate.FriendlyName
$obj | Add-Member -MemberType NoteProperty -name "Issuer" -value $Certificate.Issuer
$obj | Add-Member -MemberType NoteProperty -name "Subject" -value $Certificate.Subject
$obj | Add-Member -MemberType NoteProperty -name "Key Size" -value $Certificate.PublicKey.key.KeySize
$obj | Add-Member -MemberType NoteProperty -name "Expires" -value $Certificate.Expires
$obj | Add-Member -MemberType NoteProperty -name "Days" -value $Certificate.Days
$ResultsData += $obj
# Update Text and Alert count based on your criteria
$Name = $Certificate.FriendlyName
$Days = $Certificate.Days
$Size = $Certificate.PublicKey.key.KeySize
if ($Days -lt 0){
$AlertText += "!RED!Alert: Certificate $Name on $Server has expired "
$AlertCount += $AlertCount.count + 1
}
elseif ($Days -lt $AlertDays){
$AlertText += "!RED!Alert: Certificate $Name on $Server is expiring in $Days days"
$AlertCount += $AlertCount.count + 1
}
elseif ($Days -lt $WarnDays){
$WarningText += "!ORANGE!Warning: Certificate $Name on $Server is expiring in $Days days"
$WarningCount += $WarningCount.count + 1
}
if ($Size -lt $WarnKeySize){
$WarningText += "!ORANGE!Warning: Certificate $Name on $Server does not meet minimum key size of $WarnKeySize"
$WarningCount += $WarningCount.count + 1
}
}
#Log and Purge Old Certs
If ($PurgeExpired -eq $True){
$Name = $Certificate.FriendlyName
$Issuer = $Certificate.Issuer
$Subject = $Certificate.Subject
$Expired = $Certificate.Expires
$Days = $Certificate.Days
$SerialNumber = $Certificate.serialNumber
if ($Certificate.Issuer -ne $null -and $Certificate.days -lt $PurgeDays){
Add-content -path $Logfile -value "Name: $Name"
Add-content -path $Logfile -value "Issuer: $Issuer"
Add-content -path $Logfile -value "Subject: $Subject"
Add-content -path $Logfile -value "Expired: $Expired"
Add-content -path $Logfile -value "Days: $Days"
Add-content -path $Logfile -value " "
$PurgeCert = $stores.Certificates.Find("FindBySerialNumber",$SerialNumber,$FALSE)[0]
$stores.Remove($PurgeCert)
$ExpiredCount += $ExpiredCount.count + 1
}
}
}
Add-content -path $Logfile -value "$Server Completed (Purge = $PurgeExpired). $ExpiredCount expired certificates deleted."
Add-content -path $Logfile -value "-------------------------------------------------------------------"
Add-content -path $Logfile -value " "
$ExpiredCount = 0
$stores.Close()
}
}
More Info
This is a community driven project if you have any suggestion or module scripts you have created, I would love to include them here - with full mudos to you of course.
See the main SysAdmin Modular Reports page for more details, including working with Scheduled Tasks and downloads for other modules.
Cheers,
(__)
(oo) ok
/------\/ /
/ | ||
* /\---/\
^^ ^^
May I make a suggestion? I would think the certificate purge flags might want to -all- be set $false by default (several are currently set to $true in the code). I wasn't really expecting something advertised as a "reporting" tool make changes to my servers. Yes, my fault for not reviewing the code more closely, but when I found the first option set to $false, I assumed the rest would be as well...
ReplyDeleteI can't emphasise enough how important it is to review and understand any script you download from the internet.
DeleteThe scripts were posted as I use them in production and you can take solace that any certificates deleted were expired for at least 3 months and were well and truly of no use (do have a look at the logs which shows all of the purged certificate details). Having said that, this is first and foremost a reporting tool and I agree that by default they should not make changes to your environment. All scripts have been updated and reposted accordingly.
TAC